From Prompt to Production-Safe: The 2026 Vibe Coding Checklist

Use This Before Every Launch

Print it, pin it, or drop it into your repo as CHECKS.md. It’s the minimum to keep vibe-coded apps from biting you in production.

1) Prompt + Scaffold

  • State auth + roles explicitly; forbid exposing env/debug routes
  • Ask for safe defaults: strict CORS, CSRF protection, secure cookie flags, health checks
  • Generate seed data + fixtures for tests

2) Build

  • Keep secrets server-side; no keys in client bundles
  • Lock down webhooks: signatures + timestamp checks
  • Sanitize AI outputs (escape HTML, safe markdown renderer)
  • Add logging hygiene: no PII in client logs
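The webhook item above is worth seeing in code. This is an added example, not code from the original checklist or from Vibe-Eval: a receiver that rejects a delivery unless the body carries a valid HMAC over the timestamp and payload, and the timestamp is within a freshness window so captured requests cannot be replayed later. The header names, the `ts.body` signing layout and the 5-minute tolerance are assumptions chosen for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed for this example: header names, signing layout and tolerance.
TOLERANCE_SECONDS = 300  # reject deliveries more than 5 minutes off the receiver's clock


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender attaches: HMAC-SHA256 over "<timestamp>.<body>"."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[int] = None) -> tuple:
    """Return (accepted, reason). Freshness is checked before the signature."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Webhook-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    # A replayed capture carries a valid signature but an old timestamp, so it fails here.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance window"
    provided = headers.get("X-Webhook-Signature", "")
    expected = sign(secret, ts, body)
    # Constant-time comparison: a mismatch reveals nothing through timing.
    if not hmac.compare_digest(provided, expected):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    body = b'{"event":"order.paid","id":"ord_123"}'  # constructed sample payload
    now = 1_700_000_000
    fresh = {"X-Webhook-Timestamp": str(now),
             "X-Webhook-Signature": sign(secret, now, body)}
    print(verify_webhook(secret, fresh, body, now=now))   # (True, 'ok')
    old = now - 3600  # same secret, signed an hour ago: valid HMAC, stale timestamp
    stale = {"X-Webhook-Timestamp": str(old),
             "X-Webhook-Signature": sign(secret, old, body)}
    print(verify_webhook(secret, stale, body, now=now))   # (False, 'timestamp outside tolerance window')
```

Alerting on the rejection reasons (see the Ship section) is what turns a quiet replay attempt into a signal you can act on.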

3) Test

  • Run Vibe-Eval Checklist preset:
    • Auth bypass attempts (stale tokens, role swaps)
    • Open routes/CORS probes
    • Prompt-injection payloads in chat/forms/uploads
    • Regression flows (signup → checkout → cancel → export)
  • Keep snapshots for critical forms/buttons only

4) Ship

  • Staging parity: same env flags and secrets behavior as prod
  • Feature flags for risky areas; ability to kill features quickly
  • Alerting on auth errors + 5xx spikes

5) After Deploy

  • Re-run Vibe-Eval against production URL with read-only accounts
  • Triage findings within 24 hours; add prompt patches where needed
  • Archive reports per release so regressions are explainable

Ready-Made Vibe-Eval Preset

Ask the agent for “2026 Vibe Coding checklist run”:

  • Uses seeded admin and user accounts
  • Injects hostile prompts, replayed tokens, and deep links
  • Produces HAR + screenshot bundle and a short prompt-fix appendix

CTA

Copy the checklist into your project, then wire the preset into CI. Vibe coding stays fun when production is boring.
